
Cloudflare Zero Trust Integration Guide

Overview

The Cloudflare Zero Trust integration allows your NINA workflows to connect with Cloudflare's Zero Trust platform. This integration enables you to manage access applications, configure security policies, and control network traffic through automated workflows, helping you incorporate comprehensive Zero Trust security controls into your security operations.

Cloudflare Zero Trust is a comprehensive security platform that provides secure access to applications and networks without the need for traditional VPN infrastructure. The NINA integration provides a streamlined way to automate Zero Trust security operations in your workflows.

Status

Currently, our integration supports comprehensive management of core Zero Trust components including:

Access Management

  • Access Applications: Create, update, list, delete, and revoke tokens for applications protected by Zero Trust Access
  • Access Application Policies: Manage application-specific policies with approval workflows, session controls, and isolation requirements
  • Access Policies: Create and manage reusable policies with include/exclude/require rules and decision logic (allow, deny, bypass, non-identity)

Gateway Security

  • Gateway Rules: Create comprehensive traffic filtering rules with actions including block, allow, isolate, redirect, and quarantine
  • Gateway Lists: Manage domain, IP, email, URL, and serial number lists for traffic filtering
  • Gateway Locations: Configure network locations for policy enforcement
  • Gateway Configuration: Manage account-wide settings including block pages, TLS interception, antivirus scanning, and browser isolation

Gateway Infrastructure

  • Gateway Certificates: Manage SSL/TLS certificates for traffic interception
  • Gateway Logging: Configure activity logging and audit settings
  • Gateway Proxy Endpoints: Manage proxy endpoints for traffic routing
  • Gateway Categories: Access predefined content categories for filtering
  • Gateway App Types: List application types for policy creation

Our integration does not yet support several advanced Zero Trust capabilities, including but not limited to:

  • Device Posture Management: Device health checks, compliance validation, and endpoint security assessment
  • WARP Client Management: Client configuration, deployment, and device enrollment
  • Tunnel Management: Cloudflare Tunnel creation, configuration, and management
  • DLP (Data Loss Prevention): Advanced data classification, scanning profiles, and policy management
  • CASB (Cloud Access Security Broker): SaaS application discovery, risk assessment, and security controls
  • Email Security: Email routing, filtering, and threat protection
  • Browser Isolation: Advanced isolation policy management beyond basic rule settings
  • Analytics and Reporting: Detailed usage analytics, security reports, and dashboards
  • Identity Provider Integration: Advanced SAML/OIDC configuration and management
  • API Shield: API discovery, schema validation, and protection
  • Magic Transit: Network-level DDoS protection and traffic steering
  • Magic WAN: SD-WAN connectivity and network optimization

For a comprehensive list of Cloudflare Zero Trust capabilities, refer to the official API documentation at https://developers.cloudflare.com/api/go/resources/zero_trust/

Credential Configuration

Before using the Cloudflare Zero Trust integration in your workflows, you need to configure credentials for authentication.

Authentication Method

The Cloudflare Zero Trust integration uses API Token authentication:

Field | Description | Example
Base URL | Cloudflare API base URL | https://api.cloudflare.com/client/v4
API Token | API token for authentication | AbCdEf123456789-XyZ_TokenString
Account ID | Cloudflare account identifier | a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
Auth Type | Authentication type | bearer

How to get your API Token:

  1. Log in to the Cloudflare dashboard
  2. Go to "My Profile" → "API Tokens"
  3. Click "Create Token"
  4. Use the "Custom token" template or select "Zero Trust" preset
  5. Configure the required permissions:
    • Zone:Zone:Read (if managing zone-specific resources)
    • Account:Cloudflare Access:Edit
    • Account:Cloudflare Gateway:Edit
  6. Copy the generated token

How to find your Account ID:

  1. Log in to the Cloudflare dashboard
  2. Select your account from the account selector
  3. The Account ID is displayed in the right sidebar under "API"

Creating a Cloudflare Zero Trust Credential

  1. Navigate to the Credentials section in NINA

  2. Click Add New Credential

  3. Fill in the credential details:

    • Name: A descriptive name (e.g., "Cloudflare Zero Trust Production")
    • Description: Optional details about the credential's purpose
    • Integration Service: Select "Cloudflare Zero Trust"
    • Auth Type: "Bearer Token" (this should be automatically selected)
    • Base URL: Enter the Cloudflare API base URL
    • API Token: Enter your Cloudflare API token
    • Account ID: Enter your Cloudflare account ID
  4. Click Test Connection to verify credentials

  5. Click Save to store the credential

Supported Resources and Operations

The Cloudflare Zero Trust integration supports the following resources and operations:

Access Applications

Manage applications protected by Cloudflare Access.

Operation | Description
Create | Create a new Access application
Get | Retrieve details of a specific application
List | List all Access applications with optional filtering
Update | Update application configuration
Delete | Delete an Access application
Revoke Tokens | Revoke all tokens issued for an application

Access Application Policies

Manage policies specific to individual applications.

Operation | Description
Create | Create an application-specific policy
Get | Retrieve policy details
List | List all policies for an application
Update | Update policy configuration
Delete | Delete an application policy

Access Policies

Manage reusable policies that can be applied across multiple applications.

Operation | Description
Create | Create a reusable Access policy
Get | Retrieve policy details
List | List all reusable policies
Update | Update policy configuration
Delete | Delete a reusable policy

Gateway Rules

Create and manage traffic filtering rules for network security.

Operation | Description
Create | Create a new Gateway rule with traffic filtering logic
Get | Retrieve rule details
List | List all Gateway rules
Update | Update rule configuration
Delete | Delete a Gateway rule

Gateway Lists

Manage lists of domains, IPs, URLs, and other identifiers for use in Gateway rules.

Operation | Description
Create | Create a new Gateway list
Get | Retrieve list details
List | List all Gateway lists
Update | Update entire list contents
Patch | Add or remove specific items from a list
Delete | Delete a Gateway list

Gateway Locations

Manage network locations for policy enforcement.

Operation | Description
Create | Create a new Gateway location
Get | Retrieve location details
List | List all Gateway locations
Update | Update location configuration
Delete | Delete a Gateway location

Gateway Configuration

Manage account-wide Gateway settings.

Operation | Description
Get | Retrieve current Gateway configuration
Update | Update Gateway settings (block pages, TLS, antivirus, etc.)

Additional Resources

Resource | Operations | Description
Gateway Certificates | Create, Get, List, Delete | Manage SSL/TLS certificates
Gateway Logging | Get, Update | Configure activity logging
Gateway Proxy Endpoints | Create, Get, List, Delete | Manage proxy endpoints
Gateway Categories | List | Access content categories
Gateway App Types | List | List application types
Gateway Account | Create, Get | Manage Gateway account

Parameter Merging

The Cloudflare Zero Trust integration takes advantage of NINA's parameter merging capabilities:

Parameter Sources (in order of precedence)

  1. Node Parameters: Parameters configured directly in the Cloudflare Zero Trust Integration Node
  2. Extracted Parameters: Parameters automatically extracted from the input data
  3. Input Data: The complete input data from upstream nodes

When a Cloudflare Zero Trust Integration Node executes:

  • It combines parameters from all sources
  • Node parameters take precedence over extracted parameters
  • The combined parameters are used to execute the Cloudflare Zero Trust operation
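The precedence order above can be hard to reason about once nested objects such as rule_settings are involved. The following is an added example (not NINA's own merging code) that applies the three sources in that order; it assumes nested objects are merged key by key, which the guide does not state, and uses constructed sample inputs for a gatewayRule node. The explain_sources helper is also an assumption added for debugging, reporting which source supplied each top-level value.

```python
from copy import deepcopy

# Constructed sample inputs for a gatewayRule node (not output from a real workflow).
INPUT_DATA = {  # complete payload from the upstream node
    "name": "Block Malicious Domains",
    "action": "allow",
    "traffic": "dns.fqdn in $malicious_domains",
    "rule_settings": {
        "block_page_enabled": False,
        "block_reason": "Domain blocked due to security threat",
    },
}
EXTRACTED_PARAMS = {"action": "block", "enabled": False}  # extracted from the input data
NODE_PARAMS = {"enabled": True, "rule_settings": {"block_page_enabled": True}}  # set on the node


def _deep_update(target, source):
    """Copy source keys into target; nested dicts merge key by key, anything else is replaced.
    (Key-by-key merging of nested objects is this example's assumption.)"""
    for key, value in source.items():
        if isinstance(value, dict) and isinstance(target.get(key), dict):
            _deep_update(target[key], value)
        else:
            target[key] = deepcopy(value)
    return target


def merge_parameters(node_params, extracted_params, input_data):
    """
    Combine the three sources with the guide's precedence:
    node parameters > extracted parameters > input data.
    Layers are applied lowest-precedence first so higher layers overwrite.
    None of the inputs is mutated.
    """
    merged = deepcopy(input_data)
    for layer in (extracted_params, node_params):
        _deep_update(merged, layer)
    return merged


def explain_sources(node_params, extracted_params, input_data):
    """Per top-level key, name the source whose value won; useful when a created
    rule does not look like what was configured on the node."""
    origin = {}
    for name, layer in (("input_data", input_data),
                        ("extracted", extracted_params),
                        ("node", node_params)):
        for key in layer:
            origin[key] = name
    return origin


if __name__ == "__main__":
    import json
    print(json.dumps(merge_parameters(NODE_PARAMS, EXTRACTED_PARAMS, INPUT_DATA), indent=2))
    print(explain_sources(NODE_PARAMS, EXTRACTED_PARAMS, INPUT_DATA))
```

With the sample data, the action comes from the extracted parameters (overriding the upstream "allow"), enabled comes from the node, and rule_settings keeps block_reason from the input while block_page_enabled is overridden by the node.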

Example: Creating a Gateway Block Rule

One of the most common use cases is creating Gateway rules to block malicious traffic based on threat intelligence.

Basic Domain Blocking Rule

Below is an example of creating a Gateway rule to block access to malicious domains:

Node Configuration:

{
  "resource": "gatewayRule",
  "operation": "create",
  "parameters": {
    "name": "Block Malicious Domains",
    "description": "Block access to known malicious domains from threat intelligence",
    "action": "block",
    "enabled": true,
    "filters": ["dns"],
    "traffic": "dns.fqdn in $malicious_domains",
    "rule_settings": {
      "block_page_enabled": true,
      "block_reason": "Domain blocked due to security threat",
      "notification_settings": {
        "enabled": true,
        "msg": "Access to this domain has been blocked for security reasons. Contact IT support if you believe this is an error."
      }
    }
  }
}

This will create a DNS filtering rule that blocks domains in the $malicious_domains list and displays a custom notification to users.

IP Address Blocking Rule

You can also create rules to block specific IP addresses or ranges:

Node Configuration:

{
  "resource": "gatewayRule",
  "operation": "create",
  "parameters": {
    "name": "Block Malicious IPs",
    "description": "Block connections to known malicious IP addresses",
    "action": "block",
    "enabled": true,
    "filters": ["l4"],
    "traffic": "net.dst.ip in $malicious_ips",
    "rule_settings": {
      "block_page_enabled": false,
      "notification_settings": {
        "enabled": true,
        "msg": "Connection blocked to malicious IP address"
      }
    }
  }
}

Creating Gateway Lists for Block Rules

Before creating block rules, you often need to create Gateway lists containing the items to block:

Node Configuration:

{
  "resource": "gatewayList",
  "operation": "create",
  "parameters": {
    "name": "Malicious Domains",
    "description": "List of domains identified as malicious by threat intelligence",
    "type": "DOMAIN",
    "items": [
      {
        "value": "malicious-domain.com",
        "description": "Known phishing domain"
      },
      {
        "value": "evil-site.net",
        "description": "Malware distribution site"
      }
    ]
  }
}
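The three node configurations above are usually produced by a Script Node from a threat-intelligence feed rather than typed by hand, and the most common failure at that step is a malformed indicator landing in a list of the wrong type. The following added example (not NINA's or Cloudflare's code) shows the shape of such a script: it parses a constructed "value,description" feed, validates each indicator as either a domain or an IP address, and emits the gatewayList and gatewayRule node configurations in execution order. The feed contents and the Malicious IPs list are constructed; the domain regex is this example's own validity check; and the list references default to the guide's $malicious_domains / $malicious_ips placeholders, to be replaced with whatever reference the created list actually has.

```python
import ipaddress
import re

# Hostname shape check: labels of letters, digits and hyphens, a TLD of letters.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

# Constructed sample feed (documentation addresses, not real indicators).
SAMPLE_FEED = """\
# indicator,description
malicious-domain.com,Known phishing domain
evil-site.net,Malware distribution site
198.51.100.23,C2 beacon (TEST-NET-2 address)
2001:db8::1,C2 beacon (documentation prefix)
not a domain!,Malformed entry that must not reach the list
"""


def classify_indicator(value):
    """Return "IP", "DOMAIN" or None for an indicator string."""
    v = value.strip().lower()
    try:
        ipaddress.ip_address(v)
        return "IP"
    except ValueError:
        pass
    return "DOMAIN" if DOMAIN_RE.match(v) else None


def parse_feed(text):
    """Split a 'value,description' feed into DOMAIN items, IP items and rejected values."""
    domains, ips, rejected = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        value, _, description = line.partition(",")
        item = {"value": value.strip(), "description": description.strip()}
        kind = classify_indicator(value)
        if kind == "DOMAIN":
            domains.append(item)
        elif kind == "IP":
            ips.append(item)
        else:
            rejected.append(item["value"])  # keep for the notification step, never send
    return domains, ips, rejected


def gateway_list_node(name, list_type, items, description):
    """Node configuration for a gatewayList create, in the guide's format."""
    return {
        "resource": "gatewayList",
        "operation": "create",
        "parameters": {"name": name, "description": description,
                       "type": list_type, "items": items},
    }


def gateway_block_rule_node(name, filters, traffic, block_page, message):
    """Node configuration for a gatewayRule create with action 'block'."""
    return {
        "resource": "gatewayRule",
        "operation": "create",
        "parameters": {
            "name": name,
            "action": "block",
            "enabled": False,  # created disabled; enable after review (see Best Practices)
            "filters": filters,
            "traffic": traffic,
            "rule_settings": {
                "block_page_enabled": block_page,
                "notification_settings": {"enabled": True, "msg": message},
            },
        },
    }


def build_block_nodes(feed_text, domain_list_ref="$malicious_domains",
                      ip_list_ref="$malicious_ips"):
    """Return (nodes, rejected): two list creates followed by the DNS and L4 block rules."""
    domains, ips, rejected = parse_feed(feed_text)
    nodes = [
        gateway_list_node("Malicious Domains", "DOMAIN", domains,
                          "List of domains identified as malicious by threat intelligence"),
        gateway_list_node("Malicious IPs", "IP", ips,
                          "List of IP addresses identified as malicious by threat intelligence"),
        gateway_block_rule_node("Block Malicious Domains", ["dns"],
                                f"dns.fqdn in {domain_list_ref}", True,
                                "Access to this domain has been blocked for security reasons."),
        gateway_block_rule_node("Block Malicious IPs", ["l4"],
                                f"net.dst.ip in {ip_list_ref}", False,
                                "Connection blocked to malicious IP address"),
    ]
    return nodes, rejected


if __name__ == "__main__":
    import json
    built, dropped = build_block_nodes(SAMPLE_FEED)
    print(json.dumps(built, indent=2))
    print("rejected indicators:", dropped)
```

Rejected values are returned rather than silently dropped so the workflow's notification step can report them; an indicator that fails validation is often a sign the feed format changed, which is worth knowing before the block rule goes live.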

Example: Access Policy Automation

The integration also supports automating access control policies for applications.

Creating a Conditional Access Policy

Node Configuration:

{
  "resource": "accessPolicy",
  "operation": "create",
  "parameters": {
    "name": "High-Risk Application Access",
    "decision": "allow",
    "include": [
      {
        "email_domain": {
          "domain": "company.com"
        }
      }
    ],
    "require": [
      {
        "device_posture": [
          "compliant-device-policy-id"
        ]
      }
    ],
    "session_duration": "8h",
    "purpose_justification_required": true,
    "purpose_justification_prompt": "Please provide a business justification for accessing this high-risk application."
  }
}

This creates a policy requiring company email domain membership, device compliance, and business justification for access.

Integration in Workflow Context

The Cloudflare Zero Trust integration is particularly powerful when combined with other nodes in a workflow:

Common Workflow Patterns:

  1. Threat Intelligence to Block Rules:

    • Threat Intel Feed → Script Node (extract IOCs) → Cloudflare Gateway List Node (update) → Cloudflare Gateway Rule Node (create/update) → Slack Node (notify)
  2. Automated Incident Response:

    • Security Alert → Script Node (extract indicators) → Cloudflare Gateway Rule Node (block malicious IPs) → SIEM Node (update case) → Email Node (notify SOC)
  3. Access Policy Automation:

    • HR System Node (new employee) → Script Node (process user data) → Cloudflare Access Policy Node (create user policy) → Directory Node (update groups)
  4. Compliance Reporting:

    • Schedule Node → Cloudflare Gateway Rules Node (list) → Script Node (generate report) → Database Node (store) → Email Node (send report)

Response Structure Examples

Gateway Rule Creation Response

{
  "success": true,
  "errors": [],
  "messages": [],
  "result": {
    "id": "rule123abc",
    "name": "Block Malicious Domains",
    "description": "Block access to known malicious domains",
    "action": "block",
    "enabled": true,
    "filters": ["dns"],
    "traffic": "dns.fqdn in $malicious_domains",
    "precedence": 1000,
    "created_at": "2023-08-15T14:22:13.000Z",
    "updated_at": "2023-08-15T14:22:13.000Z"
  }
}

Gateway List Response

{
  "success": true,
  "errors": [],
  "messages": [],
  "result": {
    "id": "list456def",
    "name": "Malicious Domains",
    "description": "List of domains identified as malicious",
    "type": "DOMAIN",
    "count": 150,
    "created_at": "2023-08-15T14:22:13.000Z",
    "updated_at": "2023-08-15T14:22:13.000Z"
  }
}

Troubleshooting

Issue | Resolution
Authentication failures | Verify your API token is correct and has not expired. Ensure the token has the required permissions for Zero Trust resources. Check that your Account ID is correct.
Permission errors | Verify your API token has the necessary permissions (Cloudflare Access:Edit, Cloudflare Gateway:Edit). Recreate the token with broader permissions if needed.
Rate limiting | Cloudflare enforces rate limits on API calls. Implement delays between operations or use exponential backoff in your workflows.
Invalid rule syntax | Gateway rule traffic expressions use Wirefilter syntax. Verify your expressions match the expected format. Check the Cloudflare documentation for valid field names and operators.
List item validation errors | Ensure list items match the expected format for the list type (valid domains for DOMAIN lists, valid IPs for IP lists, etc.).
Rule precedence conflicts | Lower precedence values have higher priority. Ensure your rule precedence values don't conflict with existing rules.
Connection errors | Verify network connectivity to api.cloudflare.com. Check for firewall restrictions that might block HTTPS traffic.
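The rate-limiting row recommends exponential backoff, and the rows above it describe errors that retrying will never fix. The added example below (not NINA's or Cloudflare's code) shows a retry wrapper that keeps the two apart: it retries only on HTTP 429 and 5xx, honours a Retry-After header when one is present (that Cloudflare sends one is this example's assumption), doubles the delay with jitter otherwise, and raises at once on authentication, permission and validation errors so a bad token or a bad Wirefilter expression is reported rather than retried. The API is stood in for by a constructed SimulatedEndpoint so the block runs offline; the response bodies follow the success/errors/result shape shown in the guide's response examples.

```python
import random
import time


class CloudflareAPIError(Exception):
    """Raised for responses that must not be retried, or when retries are exhausted."""


def call_with_backoff(request, max_attempts=5, base_delay=1.0, max_delay=30.0,
                      sleep=time.sleep, jitter=random.random):
    """
    Call request() until it yields a usable result and return the body's "result".

    request() returns (status, headers, body); body has the Cloudflare shape
    {"success": bool, "errors": [...], "result": ...}.
    Retried: 429 and 5xx. Not retried: other 4xx (auth, permission, validation)
    and any body with success=false.
    """
    for attempt in range(1, max_attempts + 1):
        status, headers, body = request()
        if status == 429 or status >= 500:
            if attempt == max_attempts:
                raise CloudflareAPIError(
                    f"gave up after {attempt} attempts, last status {status}")
            retry_after = headers.get("Retry-After")  # assumed to be seconds when present
            if retry_after is not None:
                delay = float(retry_after)
            else:
                # exponential growth capped at max_delay, scaled by 0.5-1.5 jitter
                delay = min(max_delay, base_delay * 2 ** (attempt - 1)) * (0.5 + jitter())
            sleep(delay)
            continue
        if status >= 400 or not body.get("success", False):
            raise CloudflareAPIError(f"status {status}: {body.get('errors', [])}")
        return body["result"]
    raise CloudflareAPIError("max_attempts must be at least 1")


class SimulatedEndpoint:
    """Constructed stand-in for the API: answers 429 a fixed number of times, then a final response."""

    def __init__(self, rate_limited_responses, final_status=200, final_body=None):
        self.remaining_429 = rate_limited_responses
        self.final_status = final_status
        self.final_body = final_body or {"success": True, "errors": [], "messages": [], "result": {}}
        self.calls = 0

    def __call__(self):
        self.calls += 1
        if self.remaining_429 > 0:
            self.remaining_429 -= 1
            return 429, {"Retry-After": "2"}, {
                "success": False, "errors": [{"message": "rate limited (simulated)"}], "result": None}
        return self.final_status, {}, self.final_body


def demo_rate_limited_create():
    """Rule create against an endpoint that rate-limits twice; returns (result, sleeps, calls)."""
    sleeps = []
    endpoint = SimulatedEndpoint(2, final_body={
        "success": True, "errors": [], "messages": [],
        "result": {"id": "rule123abc", "name": "Block Malicious Domains"}})
    result = call_with_backoff(endpoint, sleep=sleeps.append)
    return result, sleeps, endpoint.calls


def demo_validation_error():
    """A 400 with success=false is raised immediately; returns the number of calls made."""
    endpoint = SimulatedEndpoint(0, final_status=400, final_body={
        "success": False, "errors": [{"message": "invalid traffic expression (simulated)"}],
        "result": None})
    try:
        call_with_backoff(endpoint, sleep=lambda _: None)
    except CloudflareAPIError:
        return endpoint.calls
    return -1


if __name__ == "__main__":
    print(demo_rate_limited_create())
    print("calls before validation error was raised:", demo_validation_error())
```

The sleep and jitter functions are injectable so the wrapper can be exercised in a unit test without waiting; in a workflow the defaults (time.sleep, random.random) apply.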

Best Practices

  1. Use Descriptive Names: Give your rules, policies, and lists descriptive names that clearly indicate their purpose and scope.

  2. Implement Proper Precedence: Plan your Gateway rule precedence carefully. Use lower numbers for higher-priority rules (e.g., allow rules before block rules).

  3. Test Rules Safely: Start with rules in a test environment or with enabled: false before deploying to production.

  4. Monitor Rule Performance: Large lists and complex traffic expressions can impact performance. Monitor Gateway analytics for any performance issues.

  5. Use Lists Efficiently: Create reusable Gateway lists that can be referenced by multiple rules instead of duplicating entries.

  6. Implement Gradual Rollouts: When deploying new blocking rules, consider starting with logging-only rules to assess impact before enabling blocking.

  7. Handle Errors Gracefully: Implement error handling in your workflows to manage API failures, rate limits, and validation errors.

  8. Secure API Tokens: Use the principle of least privilege when creating API tokens. Only grant the minimum permissions required for your use case.

  9. Cache List Data: If you're frequently updating large lists, consider caching the current state to avoid unnecessary API calls.

  10. Document Rule Logic: Maintain clear documentation of your rule logic and the business requirements they address for easier maintenance and troubleshooting.

  11. Regular Policy Review: Implement workflows to regularly review and update policies to ensure they remain aligned with security requirements.

  12. Monitor API Usage: Keep track of your API usage to identify optimization opportunities and avoid rate limit issues.
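Best practice 2 and the precedence-conflict row of the troubleshooting table both come down to two checks that a Compliance Reporting workflow (Schedule Node → Gateway Rules list → Script Node) can run automatically: no two rules share a precedence value, and every allow rule carries a lower number than every block rule. The following added example (not NINA's or Cloudflare's code) performs both checks over a constructed sample in the shape of the entries a Gateway Rules list returns, and picks a precedence for a new rule that keeps that ordering. The sample rule names and ids other than rule123abc are constructed, and the step of 100 between rules is this example's convention.

```python
from collections import defaultdict

# Constructed sample in the shape of "result" entries from a Gateway Rules list.
EXISTING_RULES = [
    {"id": "rule001", "name": "Allow corporate SaaS", "action": "allow", "precedence": 100, "enabled": True},
    {"id": "rule123abc", "name": "Block Malicious Domains", "action": "block", "precedence": 1000, "enabled": True},
    {"id": "rule789ghi", "name": "Block Malicious IPs", "action": "block", "precedence": 1000, "enabled": True},
    {"id": "rule456def", "name": "Allow security-team exceptions", "action": "allow", "precedence": 2000, "enabled": True},
]


def find_precedence_conflicts(rules):
    """Map each precedence value used by more than one rule to the names sharing it."""
    by_value = defaultdict(list)
    for rule in rules:
        by_value[rule["precedence"]].append(rule["name"])
    return {value: names for value, names in by_value.items() if len(names) > 1}


def misordered_allow_rules(rules):
    """Names of allow rules numbered higher than (so evaluated after) some block rule."""
    block_values = [r["precedence"] for r in rules if r["action"] != "allow"]
    if not block_values:
        return []
    first_block = min(block_values)
    return [r["name"] for r in rules
            if r["action"] == "allow" and r["precedence"] > first_block]


def choose_precedence(rules, action, step=100):
    """
    Pick an unused precedence for a new rule. Allow rules are placed after the
    existing allow rules but before the first block rule (lower number wins);
    block rules are placed after everything. Raises if no allow slot is free.
    """
    used = {r["precedence"] for r in rules}
    allow_values = [r["precedence"] for r in rules if r["action"] == "allow"]
    other_values = [r["precedence"] for r in rules if r["action"] != "allow"]
    if action == "allow":
        candidate = (max(allow_values) + step) if allow_values else step
        limit = min(other_values) if other_values else None
        if limit is not None and candidate >= limit:
            # no room at the usual step: take the highest free value before the first block rule
            candidate = limit - 1
            while candidate in used:
                candidate -= 1
            if candidate < 1:
                raise ValueError("no free precedence before the first block rule; renumber rules")
            return candidate
    else:
        highest = max(allow_values + other_values) if (allow_values or other_values) else 0
        candidate = highest + step
    while candidate in used:
        candidate += 1
    return candidate


def precedence_report(rules):
    """Findings a compliance workflow would store or mail: conflicts plus misordered allows."""
    return {
        "conflicts": find_precedence_conflicts(rules),
        "allow_after_block": misordered_allow_rules(rules),
    }


if __name__ == "__main__":
    print(precedence_report(EXISTING_RULES))
    print("next allow:", choose_precedence(EXISTING_RULES, "allow"))
    print("next block:", choose_precedence(EXISTING_RULES, "block"))
```

On the sample, the report flags the two block rules that both use 1000 and the allow rule sitting at 2000 behind them; a new allow rule is given 999 because the usual step would land past the first block rule, and a new block rule gets 2100.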